package org.springframework.cloud.vault.config;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.concurrent.atomic.AtomicReference;
import org.springframework.beans.BeanUtils;
import org.springframework.boot.system.SystemProperties;
import org.springframework.cloud.vault.config.VaultProperties;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.util.StringUtils;
import org.springframework.vault.authentication.AppIdAuthentication;
import org.springframework.vault.authentication.AppIdAuthenticationOptions;
import org.springframework.vault.authentication.AppIdUserIdMechanism;
import org.springframework.vault.authentication.AppRoleAuthentication;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
import org.springframework.vault.authentication.AwsEc2Authentication;
import org.springframework.vault.authentication.AwsEc2AuthenticationOptions;
import org.springframework.vault.authentication.AwsIamAuthentication;
import org.springframework.vault.authentication.AwsIamAuthenticationOptions;
import org.springframework.vault.authentication.AzureMsiAuthentication;
import org.springframework.vault.authentication.AzureMsiAuthenticationOptions;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.ClientCertificateAuthentication;
import org.springframework.vault.authentication.ClientCertificateAuthenticationOptions;
import org.springframework.vault.authentication.CubbyholeAuthentication;
import org.springframework.vault.authentication.CubbyholeAuthenticationOptions;
import org.springframework.vault.authentication.GcpComputeAuthentication;
import org.springframework.vault.authentication.GcpComputeAuthenticationOptions;
import org.springframework.vault.authentication.IpAddressUserId;
import org.springframework.vault.authentication.KubernetesAuthentication;
import org.springframework.vault.authentication.KubernetesAuthenticationOptions;
import org.springframework.vault.authentication.KubernetesServiceAccountTokenFile;
import org.springframework.vault.authentication.MacAddressUserId;
import org.springframework.vault.authentication.PcfAuthentication;
import org.springframework.vault.authentication.PcfAuthenticationOptions;
import org.springframework.vault.authentication.ResourceCredentialSupplier;
import org.springframework.vault.authentication.StaticUserId;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestOperations;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;

/* loaded from: input_file:org/springframework/cloud/vault/config/ClientAuthenticationFactory.class */
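/**
 * Factory that builds the {@link ClientAuthentication} selected by
 * {@link VaultProperties#getAuthentication()}.
 * <p>
 * Credential-bearing settings (initial token, AppRole role/secret id, certificate and key
 * resources, service-account token file) are read from {@link VaultProperties} and handed
 * straight to the spring-vault option builders; this class does not log or otherwise emit
 * them.
 * <p>
 * Note: this listing was recovered by a decompiler; the {@code public} modifiers on the
 * constructor, {@link #createClientAuthentication()} and the nested
 * {@link AwsCredentialProvider} were widened from package-private/private by that tool and
 * are kept here so existing callers keep compiling.
 */
class ClientAuthenticationFactory {

    /** {@code true} when the (deprecated) google-api-client {@code GoogleCredential} is on the classpath. */
    private static final boolean googleCredentialPresent = ClassUtils.isPresent(
            "com.google.api.client.googleapis.auth.oauth2.GoogleCredential",
            ClientAuthenticationFactory.class.getClassLoader());

    /** {@code true} when google-auth-library {@code GoogleCredentials} is on the classpath. */
    private static final boolean googleCredentialsPresent = ClassUtils.isPresent(
            "com.google.auth.oauth2.GoogleCredentials",
            ClientAuthenticationFactory.class.getClassLoader());

    private final VaultProperties vaultProperties;

    /** Client used for requests to Vault itself. */
    private final RestOperations restOperations;

    /**
     * Second client handed to the AWS EC2, Azure MSI and GCP GCE mechanisms
     * (presumably for their calls to the cloud metadata services; not visible here).
     */
    private final RestOperations externalRestOperations;

    /**
     * Supplies the {@link AwsCredentialsProvider} used by {@link #awsIamAuthentication}.
     */
    public static class AwsCredentialProvider {

        private AwsCredentialProvider() {
        }

        /**
         * Resolves credentials once through the SDK default provider chain and returns a
         * provider that serves that first result exactly once; every later call goes back
         * to the chain, so rotated credentials are picked up.
         * <p>
         * {@code resolveCredentials()} runs eagerly here, so a missing AWS credential
         * configuration fails when the factory builds the mechanism, not at first login.
         * @return a provider backed by {@link DefaultCredentialsProvider}
         */
        private static AwsCredentialsProvider getAwsCredentialsProvider() {
            final DefaultCredentialsProvider chain = DefaultCredentialsProvider.create();
            final AwsCredentials initial = chain.resolveCredentials();
            // Typed reference (the original used a raw AtomicReference); cleared on first use.
            final AtomicReference<AwsCredentials> pending = new AtomicReference<>(initial);
            return new AwsCredentialsProvider() {
                @Override
                public AwsCredentials resolveCredentials() {
                    return pending.compareAndSet(initial, null) ? initial : chain.resolveCredentials();
                }
            };
        }
    }

    /**
     * Creates a factory.
     * @param vaultProperties the Vault configuration to build the mechanism from
     * @param restOperations client for Vault requests
     * @param restOperations2 client passed to the cloud-metadata based mechanisms
     */
    public ClientAuthenticationFactory(VaultProperties vaultProperties, RestOperations restOperations,
            RestOperations restOperations2) {
        this.vaultProperties = vaultProperties;
        this.restOperations = restOperations;
        this.externalRestOperations = restOperations2;
    }

    /**
     * Builds the {@link ClientAuthentication} for the configured authentication method.
     * @return the authentication mechanism
     * @throws UnsupportedOperationException if the configured method has no mapping here
     */
    public ClientAuthentication createClientAuthentication() {
        switch (this.vaultProperties.getAuthentication()) {
            case APPID:
                return appIdAuthentication(this.vaultProperties);
            case APPROLE:
                return appRoleAuthentication(this.vaultProperties);
            case AWS_EC2:
                return awsEc2Authentication(this.vaultProperties);
            case AWS_IAM:
                return awsIamAuthentication(this.vaultProperties);
            case AZURE_MSI:
                return azureMsiAuthentication(this.vaultProperties);
            case CERT:
                return certificateAuthentication(this.vaultProperties);
            case CUBBYHOLE:
                return cubbyholeAuthentication();
            case GCP_GCE:
                return gcpGceAuthentication(this.vaultProperties);
            case GCP_IAM:
                return gcpIamAuthentication(this.vaultProperties);
            case KUBERNETES:
                return kubernetesAuthentication(this.vaultProperties);
            case PCF:
                return pcfAuthentication(this.vaultProperties);
            case TOKEN:
                return tokenAuthentication(this.vaultProperties);
            default:
                throw new UnsupportedOperationException(String.format("Client authentication %s not supported",
                        this.vaultProperties.getAuthentication()));
        }
    }

    /**
     * AppId authentication: the application name is the app-id and the user-id mechanism
     * comes from {@link #getAppIdMechanism}.
     * @throws IllegalArgumentException if {@code spring.cloud.vault.app-id.user-id} is empty
     */
    private ClientAuthentication appIdAuthentication(VaultProperties vaultProperties) {
        VaultProperties.AppIdProperties appId = vaultProperties.getAppId();
        Assert.hasText(appId.getUserId(), "UserId (spring.cloud.vault.app-id.user-id) must not be empty");
        AppIdAuthenticationOptions options = AppIdAuthenticationOptions.builder()
                .appId(vaultProperties.getApplicationName())
                .path(appId.getAppIdPath())
                .userIdMechanism(getAppIdMechanism(appId))
                .build();
        return new AppIdAuthentication(options, this.restOperations);
    }

    /**
     * Resolves the user-id mechanism from {@code spring.cloud.vault.app-id.user-id}.
     * <p>
     * The value is first treated as a fully-qualified class name of an
     * {@link AppIdUserIdMechanism} and instantiated reflectively; only if no such class
     * exists is it read as {@code IP_ADDRESS}, {@code MAC_ADDRESS} or a literal static
     * user id. Because the property can select a class to instantiate, it must only be
     * sourced from trusted application configuration.
     * @param appIdProperties the AppId settings
     * @return the mechanism to derive the user id with
     */
    private AppIdUserIdMechanism getAppIdMechanism(VaultProperties.AppIdProperties appIdProperties) {
        try {
            Class<?> userIdClass = ClassUtils.forName(appIdProperties.getUserId(), (ClassLoader) null);
            return (AppIdUserIdMechanism) BeanUtils.instantiateClass(userIdClass);
        } catch (ClassNotFoundException ignored) {
            // Not a class name: interpret the value as a mechanism keyword.
            // Locale.ROOT so the comparison against fixed ASCII constants does not
            // depend on the JVM default locale (Turkish dotted/dotless i).
            String mechanism = appIdProperties.getUserId().toUpperCase(Locale.ROOT);
            if (VaultProperties.AppIdProperties.IP_ADDRESS.equals(mechanism)) {
                return new IpAddressUserId();
            }
            if (VaultProperties.AppIdProperties.MAC_ADDRESS.equals(mechanism)) {
                return macAddressUserId(appIdProperties.getNetworkInterface());
            }
            return new StaticUserId(appIdProperties.getUserId());
        }
    }

    /**
     * Builds a {@link MacAddressUserId} for the configured network interface: none
     * (default interface), a numeric interface index, or an interface name.
     * @param networkInterface {@code spring.cloud.vault.app-id.network-interface}, may be empty
     */
    private static MacAddressUserId macAddressUserId(String networkInterface) {
        if (!StringUtils.hasText(networkInterface)) {
            return new MacAddressUserId();
        }
        try {
            return new MacAddressUserId(Integer.parseInt(networkInterface));
        } catch (NumberFormatException notAnIndex) {
            return new MacAddressUserId(networkInterface);
        }
    }

    /** AppRole authentication using {@link #getAppRoleAuthenticationOptions}. */
    private ClientAuthentication appRoleAuthentication(VaultProperties vaultProperties) {
        return new AppRoleAuthentication(getAppRoleAuthenticationOptions(vaultProperties), this.restOperations);
    }

    /**
     * Builds the AppRole options: mount path, optional role name, and the role-id /
     * secret-id sources derived from the configured values and initial token.
     * @param vaultProperties the Vault configuration
     * @return the AppRole options
     * @throws IllegalArgumentException if no role-id source can be determined
     */
    static AppRoleAuthenticationOptions getAppRoleAuthenticationOptions(VaultProperties vaultProperties) {
        VaultProperties.AppRoleProperties appRole = vaultProperties.getAppRole();
        AppRoleAuthenticationOptions.AppRoleAuthenticationOptionsBuilder builder = AppRoleAuthenticationOptions
                .builder().path(appRole.getAppRolePath());
        if (StringUtils.hasText(appRole.getRole())) {
            builder.appRole(appRole.getRole());
        }
        builder.roleId(getRoleId(vaultProperties, appRole)).secretId(getSecretId(vaultProperties, appRole));
        return builder.build();
    }

    /**
     * Chooses the role-id source, in this order: an explicit role-id; pull mode (initial
     * token plus role name); wrapped mode (initial token only).
     * @throws IllegalArgumentException if none of these is configured
     */
    private static AppRoleAuthenticationOptions.RoleId getRoleId(VaultProperties vaultProperties,
            VaultProperties.AppRoleProperties appRoleProperties) {
        if (StringUtils.hasText(appRoleProperties.getRoleId())) {
            return AppRoleAuthenticationOptions.RoleId.provided(appRoleProperties.getRoleId());
        }
        boolean hasToken = StringUtils.hasText(vaultProperties.getToken());
        if (hasToken && StringUtils.hasText(appRoleProperties.getRole())) {
            return AppRoleAuthenticationOptions.RoleId.pull(VaultToken.of(vaultProperties.getToken()));
        }
        if (hasToken) {
            return AppRoleAuthenticationOptions.RoleId.wrapped(VaultToken.of(vaultProperties.getToken()));
        }
        throw new IllegalArgumentException(
                "Cannot configure RoleId. Any of role-id, initial token, or initial token and role name must be configured.");
    }

    /**
     * Chooses the secret-id source with the same precedence as {@link #getRoleId}; unlike
     * the role-id, a missing secret-id is allowed and yields {@code absent()}.
     */
    private static AppRoleAuthenticationOptions.SecretId getSecretId(VaultProperties vaultProperties,
            VaultProperties.AppRoleProperties appRoleProperties) {
        if (StringUtils.hasText(appRoleProperties.getSecretId())) {
            return AppRoleAuthenticationOptions.SecretId.provided(appRoleProperties.getSecretId());
        }
        boolean hasToken = StringUtils.hasText(vaultProperties.getToken());
        if (hasToken && StringUtils.hasText(appRoleProperties.getRole())) {
            return AppRoleAuthenticationOptions.SecretId.pull(VaultToken.of(vaultProperties.getToken()));
        }
        if (hasToken) {
            return AppRoleAuthenticationOptions.SecretId.wrapped(VaultToken.of(vaultProperties.getToken()));
        }
        return AppRoleAuthenticationOptions.SecretId.absent();
    }

    /**
     * AWS EC2 authentication. A configured nonce is used as-is; otherwise spring-vault
     * generates one.
     */
    private ClientAuthentication awsEc2Authentication(VaultProperties vaultProperties) {
        VaultProperties.AwsEc2Properties awsEc2 = vaultProperties.getAwsEc2();
        AwsEc2AuthenticationOptions.Nonce nonce = StringUtils.hasText(awsEc2.getNonce())
                ? AwsEc2AuthenticationOptions.Nonce.provided(awsEc2.getNonce().toCharArray())
                : AwsEc2AuthenticationOptions.Nonce.generated();
        AwsEc2AuthenticationOptions options = AwsEc2AuthenticationOptions.builder()
                .role(awsEc2.getRole())
                .path(awsEc2.getAwsEc2Path())
                .nonce(nonce)
                .identityDocumentUri(awsEc2.getIdentityDocument())
                .build();
        return new AwsEc2Authentication(options, this.restOperations, this.externalRestOperations);
    }

    /**
     * AWS IAM authentication. Credentials come from the SDK default provider chain via
     * {@link AwsCredentialProvider#getAwsCredentialsProvider()}, which resolves them
     * eagerly here. Region, role, server name and endpoint are only applied when set.
     */
    ClientAuthentication awsIamAuthentication(VaultProperties vaultProperties) {
        VaultProperties.AwsIamProperties awsIam = vaultProperties.getAwsIam();
        AwsIamAuthenticationOptions.AwsIamAuthenticationOptionsBuilder builder = AwsIamAuthenticationOptions.builder();
        AwsCredentialsProvider awsCredentialsProvider = AwsCredentialProvider.getAwsCredentialsProvider();
        if (StringUtils.hasText(awsIam.getRegion())) {
            builder.region(Region.of(awsIam.getRegion()));
        }
        if (StringUtils.hasText(awsIam.getRole())) {
            builder.role(awsIam.getRole());
        }
        if (StringUtils.hasText(awsIam.getServerName())) {
            builder.serverName(awsIam.getServerName());
        }
        if (awsIam.getEndpointUri() != null) {
            builder.endpointUri(awsIam.getEndpointUri());
        }
        // The provider was previously set twice; once is enough.
        builder.path(awsIam.getAwsPath()).credentialsProvider(awsCredentialsProvider);
        return new AwsIamAuthentication(builder.build(), this.restOperations);
    }

    /**
     * Azure MSI authentication.
     * @throws IllegalArgumentException if {@code spring.cloud.vault.azure-msi.role} is empty
     */
    private ClientAuthentication azureMsiAuthentication(VaultProperties vaultProperties) {
        VaultProperties.AzureMsiProperties azureMsi = vaultProperties.getAzureMsi();
        Assert.hasText(azureMsi.getRole(), "Azure role (spring.cloud.vault.azure-msi.role) must not be empty");
        AzureMsiAuthenticationOptions options = AzureMsiAuthenticationOptions.builder()
                .role(azureMsi.getRole())
                .path(azureMsi.getAzurePath())
                .instanceMetadataUri(azureMsi.getMetadataService())
                .identityTokenServiceUri(azureMsi.getIdentityTokenService())
                .build();
        return new AzureMsiAuthentication(options, this.restOperations, this.externalRestOperations);
    }

    /**
     * Cubbyhole authentication in wrapped mode, unwrapping the configured initial token.
     * @throws IllegalArgumentException if {@code spring.cloud.vault.token} is empty
     */
    private ClientAuthentication cubbyholeAuthentication() {
        Assert.hasText(this.vaultProperties.getToken(),
                "Initial Token (spring.cloud.vault.token) for Cubbyhole authentication must not be empty");
        CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions.builder()
                .wrapped()
                .initialToken(VaultToken.of(this.vaultProperties.getToken()))
                .build();
        return new CubbyholeAuthentication(options, this.restOperations);
    }

    /**
     * GCP GCE (compute metadata) authentication; the service account is optional.
     * @throws IllegalArgumentException if {@code spring.cloud.vault.gcp-gce.role} is empty
     */
    private ClientAuthentication gcpGceAuthentication(VaultProperties vaultProperties) {
        VaultProperties.GcpGceProperties gcpGce = vaultProperties.getGcpGce();
        Assert.hasText(gcpGce.getRole(), "Role (spring.cloud.vault.gcp-gce.role) must not be empty");
        GcpComputeAuthenticationOptions.GcpComputeAuthenticationOptionsBuilder builder = GcpComputeAuthenticationOptions
                .builder().path(gcpGce.getGcpPath()).role(gcpGce.getRole());
        if (StringUtils.hasText(gcpGce.getServiceAccount())) {
            builder.serviceAccount(gcpGce.getServiceAccount());
        }
        return new GcpComputeAuthentication(builder.build(), this.restOperations, this.externalRestOperations);
    }

    /**
     * GCP IAM authentication, delegated to whichever Google auth library is on the
     * classpath (the deprecated google-api-client is preferred when both are present).
     * @throws IllegalStateException if neither library is available
     */
    private ClientAuthentication gcpIamAuthentication(VaultProperties vaultProperties) {
        if (googleCredentialPresent) {
            return GcpIamAuthenticationFactory.create(vaultProperties, this.restOperations);
        }
        if (googleCredentialsPresent) {
            return GcpIamCredentialsAuthenticationFactory.create(vaultProperties, this.restOperations);
        }
        throw new IllegalStateException(
                "Cannot create authentication mechanism for GCP IAM. This method requires one of the following dependencies: google-auth-library-oauth2-http or google-api-client (deprecated).");
    }

    /**
     * Kubernetes authentication; the JWT is read from the configured service-account
     * token file by {@link KubernetesServiceAccountTokenFile}.
     * @throws IllegalArgumentException if the role or token-file path is empty
     */
    private ClientAuthentication kubernetesAuthentication(VaultProperties vaultProperties) {
        VaultProperties.KubernetesProperties kubernetes = vaultProperties.getKubernetes();
        Assert.hasText(kubernetes.getRole(), "Role (spring.cloud.vault.kubernetes.role) must not be empty");
        Assert.hasText(kubernetes.getServiceAccountTokenFile(),
                "Service account token file (spring.cloud.vault.kubernetes.service-account-token-file) must not be empty");
        KubernetesAuthenticationOptions options = KubernetesAuthenticationOptions.builder()
                .path(kubernetes.getKubernetesPath())
                .role(kubernetes.getRole())
                .jwtSupplier(new KubernetesServiceAccountTokenFile(kubernetes.getServiceAccountTokenFile()))
                .build();
        return new KubernetesAuthentication(options, this.restOperations);
    }

    /**
     * PCF (Cloud Foundry) authentication. Requires BouncyCastle for the PSS signature;
     * instance certificate and key resources are only set when configured.
     * @throws IllegalArgumentException if BouncyCastle is missing or the role is empty
     */
    private ClientAuthentication pcfAuthentication(VaultProperties vaultProperties) {
        VaultProperties.PcfProperties pcf = vaultProperties.getPcf();
        Assert.isTrue(ClassUtils.isPresent("org.bouncycastle.crypto.signers.PSSSigner", getClass().getClassLoader()),
                "BouncyCastle (bcpkix-jdk15on) must be on the classpath");
        Assert.hasText(pcf.getRole(), "Role (spring.cloud.vault.pcf.role) must not be empty");
        PcfAuthenticationOptions.PcfAuthenticationOptionsBuilder builder = PcfAuthenticationOptions.builder()
                .role(pcf.getRole()).path(pcf.getPcfPath());
        if (pcf.getInstanceCertificate() != null) {
            builder.instanceCertificate(new ResourceCredentialSupplier(pcf.getInstanceCertificate()));
        }
        if (pcf.getInstanceKey() != null) {
            builder.instanceKey(new ResourceCredentialSupplier(pcf.getInstanceKey()));
        }
        return new PcfAuthentication(builder.build(), this.restOperations);
    }

    /** TLS client-certificate authentication against the configured cert auth mount. */
    private ClientAuthentication certificateAuthentication(VaultProperties vaultProperties) {
        ClientCertificateAuthenticationOptions options = ClientCertificateAuthenticationOptions.builder()
                .path(vaultProperties.getSsl().getCertAuthPath())
                .build();
        return new ClientCertificateAuthentication(options, this.restOperations);
    }

    /**
     * Static token authentication. Uses {@code spring.cloud.vault.token} when set, else
     * falls back to the Vault CLI token file {@code ~/.vault-token}.
     * <p>
     * The file contents are used verbatim (no trimming) and decoded as UTF-8; the file's
     * permissions are not checked here, so protecting it is left to the deployment.
     * @throws IllegalStateException if neither a token nor a readable token file is present
     */
    private ClientAuthentication tokenAuthentication(VaultProperties vaultProperties) {
        if (StringUtils.hasText(vaultProperties.getToken())) {
            return new TokenAuthentication(vaultProperties.getToken());
        }
        Path tokenFile = Paths.get(SystemProperties.get("user.home"), ".vault-token");
        if (!Files.exists(tokenFile)) {
            throw new IllegalStateException(
                    "Cannot create authentication mechanism for TOKEN. This method requires either a Token (spring.cloud.vault.token) or a token file at ~/.vault-token.");
        }
        try {
            return new TokenAuthentication(new String(Files.readAllBytes(tokenFile), StandardCharsets.UTF_8));
        } catch (IOException e) {
            throw new IllegalStateException(String.format("Could not retrieve vault token from %s", tokenFile), e);
        }
    }
}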
